Single-emitter quantum key distribution over 175 km of fibre with optimised finite key rates

Quantum key distribution with solid-state single-photon emitters is gaining traction due to their rapidly improving performance and compatibility with future quantum networks. Here we emulate a quantum key distribution scheme with quantum-dot-generated single photons frequency-converted to 1550 nm, achieving count rates of 1.6 MHz with \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${g}^{\left(2\right)}\left(0\right)=3.6\%$$\end{document}g20=3.6% and asymptotic positive key rates over 175 km of telecom fibre. We show that the commonly used finite-key analysis for non-decoy state QKD drastically overestimates secure key acquisition times due to overly loose bounds on statistical fluctuations. Using the tighter multiplicative Chernoff bound to constrain the estimated finite key parameters, we reduce the required number of received signals by a factor 108. The resulting finite key rate approaches the asymptotic limit at all achievable distances in acquisition times of one hour, and at 100 km we generate finite keys at 13 kbps for one minute of acquisition. This result is an important step towards long-distance single-emitter quantum networking.

Quantum key distribution with solid-state single-photon emitters is gaining traction due to their rapidly improving performance and compatibility with future quantum networks. Here we emulate a quantum key distribution scheme with quantum-dot-generated single photons frequency-converted to 1550 nm, achieving count rates of 1.6 MHz with g 2 ð Þ 0 ð Þ = 3:6% and asymptotic positive key rates over 175 km of telecom fibre. We show that the commonly used finite-key analysis for non-decoy state QKD drastically overestimates secure key acquisition times due to overly loose bounds on statistical fluctuations. Using the tighter multiplicative Chernoff bound to constrain the estimated finite key parameters, we reduce the required number of received signals by a factor 10 8 . The resulting finite key rate approaches the asymptotic limit at all achievable distances in acquisition times of one hour, and at 100 km we generate finite keys at 13 kbps for one minute of acquisition. This result is an important step towards long-distance single-emitter quantum networking.
Future quantum networks will require bright low-noise sources of single photons to enable applications including secure communication and distributed quantum computing 1 . There is a range of promising platforms for such a source, including quantum dots, molecules, quantum emitters in two-dimensional materials such as WSe 2 and hBN, and colour centres in wide band-gap materials such as diamond and SiC. Comparing these platforms for single-photon emitters, quantum dots (QDs) have demonstrated the highest count rates with the lowest multiphoton emission probability [2][3][4] .
Fibre-based QKD requires single-photons at 1550 nm where loss in fibre is lowest. This can be realised with QDs in two ways, fabricating the QD to emit directly at 1550 nm or using quantum frequencyconversion to shift the wavelength of a QD which emits at shorter wavelengths to 1550 nm. The best available QDs in all relevant metrics emit at shorter wavelengths [2][3][4] , although recent improvements have been made with C-band emitters in terms of brightness and multiphoton noise but not coherence 5 . Quantum frequency-conversion has been shown to be a viable route to realise a bright, coherent telecom QD single-photon source with low multiphoton noise, leveraging the performance of shorter wavelength QDs [6][7][8] .
In this work, we demonstrate Bennett-Brassard '84 (BB84) QKD 9 using a bright frequency-converted QD source over optical fibre. In the asymptotic case the source outperforms previous demonstrations of prepare-and-measure QKD with single-photon emitters in terms of achievable key rate and maximum tolerable loss thanks to the brightness and low g 2 ð Þ 0 ð Þ of our source, see Table 1. In the composable security framework, we use improved analytical bounds for the random sampling without replacement problem related to the phase error rate and the multiplicative Chernoff bound that has been proven to be a tighter finite key bound in other contexts 10 . These bounds are used to calculate the fluctuations between expected and observed values.
The finite key treatment implemented in this work reduces the number of signals Bob must receive to approach the asymptotic case from 10 15 to 10 7 compared with widely used previous single-photon source QKD analyses. Equivalently, the integration time required to approach the asymptotic case is reduced from 10 4 years to just one hour.

Experimental setup
The experimental setup including single-photon source, communication channel and receiver is shown in Fig. 1. The quantum light source consists of an InGaAs/GaAs quantum dot inside an oxideapertured micropillar 11 emitting photons at 940 nm. The QD is excited using a dark-field confocal microscope; single photons are collected in a cross-polarised scheme with 10 7 suppression of the excitation laser. The QD is operated under pulsed quasi-resonant excitation using the third order cavity mode detuned by 440 GHz from the QD emission. This quasi-resonant excitation has strongly damped photon-number coherence compared to resonant excitation of the source 6 , this allows the output photon number states to be treated as mixed 12 with no inter-pulse coherence. Femtosecond pulses from a Ti:Sapphire laser are stretched to 30 ps using a 4f Fourier pulse shaper and temporally multiplexed up to 160.7 MHz. We measure ≈5 MHz count rate with a g 2 ð Þ ð0Þ = 0:019ð1Þ directly from the QD. The single-photon emission is converted to 1550 nm in a difference frequency generation (DFG) process in a 48 mm periodically-poled lithium niobate (ppLN) waveguide pumped by a 2400 nm continuous-wave laser. The internal conversion efficiency of the DFG process is 57%. Further details on the source can be found in ref. 6.
The four BB84 polarisation states H,V ,D,A f gare encoded using a motorised half-wave plate. Photons are then transmitted through the quantum channel consisting of SMF-28 fibre spools with an average propagation loss of 0.1904 dB/km including connectors. The fibre is housed in an insulating box to reduce temperature fluctuations, which keeps the fibre-induced polarisation rotation stable over the typical acquisition time of 30 min per polarisation state.
The BB84 receiver consists of a 50/50 fibre beam-splitter followed by two polarising beam splitters and in-fibre polarisation controllers to project into the H/V and D/A basis respectively. Photons are detected with superconducting nanowire single-photon detectors (SNSPDs).
The average transmittivity of the four arms of the receiver is 87% including relative efficiency of each detector measured by comparing the count rate observed on each detector with a reference parametric down-conversion source. The SNSPDs are biased to have an average dark count rate of 11.5 Hz at the cost of 5-10% of the peak efficiency. The detectors are time gated around the arrival time of the signal photons to reduce the effect of dark counts (see Fig. 2), the average time gate across all distances is 3.19 ns. This gives a dark count probability per pulse of p dc = 3.67 × 10 −8 .

Asymptotic key rate
We send each of the BB84 states H, V , D, A f gin turn and record at least 5 × 10 6 detected events for each state for seven distances between 0-175 km. The probability that a given round registers in one of Bob's detectors, p click , is estimated as the ratio of detected events to the number of clock pulses from the Ti:Sapphire which are recorded over the integration period. For convenience, we assume equal probabilities for both bases, i.e. p dc p X dc p Z dc and p click p X click p Z click . We measure a count rate of 1.6 MHz in Bob's receiver at zero distance. This gives a mean photon number of 〈n〉 = 0.0142 injected into the communication channel backing out the known receiver transmission, the relative efficiency on average due to the measured losses of each detector ≈87% ð Þand the estimated quantum efficiency of the detectors ≈75% ð Þ. The quantum bit error rate (QBER) e X/Z , in the X or Z basis is calculated by comparing the ratio of detected events for the state orthogonal to Alice's encoded state to the total number of detected  Bob's receiver passively chooses between X and Z basis measurements using a 50/ 50 fibre beam-splitter (BS). Projections are made using polarising beam-splitter (PBS) cubes and in-fibre polarisation controllers (PC) to align the measurement basis. events in that basis. By fitting the measured QBER to the average polarisation misalignment p mis can be extracted, which typically is found to be p mis = 0.3% 13 . T represents the total optical efficiency from the quantum channel to Bob's detection apparatus. The dark count probability p dc and mean photon number 〈n〉 are held as fixed parameters. With p click , e X/Z , 〈n〉 and g 2 ð Þ ð0Þ experimentally characterised it is possible to calculate the asymptotic key rate (AKR) according to 14,15 where p sift = p 2 X + ð1 À p X Þ 2 is the sifting ratio for the key generation bits assuming both bases are used, p X is the basis bias, H x ð Þ is the binary Shannon entropy and f EC x ð Þ> 1 is the error correction efficiency factor.
For the experimental setup presented here p sift = 1 2 which allows for a comparison to previously published work (Table 1). For f EC x ð Þ we use values linearly interpolated between those reported in ref. 16 (typically f EC = 1.16 for the range of error rates seen in the experiment). A = p click À p m À Á =p click is the fraction of signals which are single-photon pulses and p m is the upper bound on the probability that Alice emits a multiphoton pulse taken to be p m ≤ g 2 ð Þ ð0Þhni 2 =2 13 . From the measured 〈n〉 = 0.0142 and g 2 ð Þ ð0Þ = 0:036ð3Þ (see Fig. 2), we estimate p m ≤ 3.63 × 10 −6 without any additional pre-attenuation before the final collection fibre. The small increase in g 2 ð Þ ð0Þ compared to the emission directly from the QD is due to Raman scattering in the frequencyconversion process.
The key rate at shorter distances is increased compared to previous works thanks to the high brightness and temporally multiplexed excitation presented in this work. The maximum tolerable loss is also increased due to the relatively high brightness and low noise compared to previous demonstrations with telecom wavelength QD sources. The current maximum range is limited by p click → p m , at which point the fraction of signals received from single photon pulses goes to zero A → 0, and a secure key is no longer possible. As the multiphoton emission and click probabilities are evaluated on a signal-by-signal basis, the multiplexed excitation does not improve the maximum distance over which a secure key can be extracted.

Finite key analysis
In assessing the performance of a practical QKD system the finite key rate must be considered. To date, most experiments with singlephoton emitters 17,18 have used the method outlined in 15 to derive finite block size estimates of the secure key. Since the publication of 15 , there has been considerable development of tighter statistical estimation bounds, mainly in the context of weak coherent pulse decoy state and entangled protocols. Here, we adapt and employ recent results based on Chernoff bounds to produce significant improvements in the finite key rate. This reduces the block size required for a positive key rate or, conversely, yields a much greater key rate for a fixed block size.
A full derivation of the finite key rate can be found in the Methods section with the main result discussed here. For a finite block size defined as either the number of sent N S or received signals N R , the total secure key length ℓ is, where N X R,nmp is the lower bound on the number of received signals in the key generation basis due to non-multiphoton source emissions (including vacuum and single-photon emissions), ϕ X is the upper bound of the phase error rate in the key generation basis, λ EC is the Asymptotic key rate and quantum bit error rate. a Experimental asymptotic key rate (orange dots) and the theoretical key rate based on the experimentally measured parameters with and without pre-attenuation of Alice's source. The pre-attenuation increases 2.6 dB the maximum tolerable loss. The inset shows a typical data set for Alice sending horizontally polarised photons over 80 km of fibre. Red boxes show the typical time gating used to optimise the key rate.
b Measured error rate as a function of fibre distance. The theory fit is based on Eq. (1) with the experimental parameters listed in the main text. The deviations from the best fit are due to inconsistency in aligning the in-fibre polarisation controller. The QBER at the maximum tolerable loss of~35 dB is~2%. Maximum tolerable loss is primarily limited by the photon-number noise g 2 ð Þ 0 ð Þ= 0:036ð3Þ, shown in the inset of b. information leaked during error correction 19 , and the remaining terms are security and correctness parameters derived using the methods in 20 . The key rate is then defined as r = ' N S and the fixed parameters used are shown in Table 2. The ratio of signals in the key generation basis to the parameter estimation basis, and the additional attenuation Alice adds to the source to reduce the multiphoton emission probability are all numerically optimised for each distance.
The improvement to the finite key rate can be viewed in two different ways: at long distances the block size required to produce the same key rate is massively reduced, Fig. 3a; alternatively, for a fixed acquisition time we can tolerate more loss and achieve the same secure key rate, Fig. 3b. The improvement to the finite key rate is quantified by comparing the number of signals required to approach the asymptotic key rate. To approach the asymptotic key rate with the method of 15 , the received block size has to be on the order of 10 15 , dotted purple curve Fig. 3a. Our results indicate a factor 10 8 improvement, the finite key rate curve reaches the asymptotic limit with Alice's pre-attenuation for just 10 7 received signals. With respect to a fixed acquisition time, previous security analysis restricts the maximum distance over which a key can be exchanged after one second of acquisition time to less than 1 km, Fig. 3b, whereas we calculate a maximum tolerable loss of 26.9 dB which is equivalent to over 140 km of fibre. For all acquisition times considered the analysis presented here can achieve the same key rate over an additional 25 dB of channel loss.

Discussion
We have demonstrated that fibre-based QKD with frequencyconverted quantum dot is possible at high rates for distances and acquisition times relevant for metropolitan communication networks. The source performance exceeds other single-photon emitters suggested for use in QKD systems in terms of key rate and maximum tolerable loss. Combining state-of-the-art QD performance in brightness 2 and multiphoton suppression 21 , with the frequency conversion demonstrated here into one device would allow for key rates comparable to decoy-state QKD with weak coherent pulses. Ultimately, surpassing weak coherent pulse implementations will require sources much closer to the ideal performance of unity collection efficiency with multiphoton emission probabilities approaching zero.
Regarding the key rate introduced with Eq. (3), a more up-to-date version for the terms of the security parameters and an additional fluctuation in the phase error rate due to the random sampling without replacement problem were introduced compared to previous studies. The considerable enhancement of the finite key rate is due to the improved bounds of the statistical fluctuations achieved using the Chernoff bound applied to the number of events versus bounding probabilities as in 22 .
The deviations of the probabilities from the ideal estimate are magnified when expressed in the total number of events, e.g. number of errors and multiphoton emissions, although they might seem to be relatively small 23 . In particular, the Chernoff bound on events provides tighter estimates on the maximum number of multiphoton emissions increasing the single photon yield at longer distances and consequently the key rate.

Click and error probability estimation
In this section, we describe the modelling of click probabilities and error rates to later simulate the detections and error events. First, the click probability in each basis is, where p n is the probability that a pulse emitted by the source contains n photons, η X ,Z det is the detector detection efficiency and p X,Z dc is the average dark count probability of the two detectors associated with each basis. For simplicity we assume that all detectors have the same efficiencies and dark count rates. If they differ, then the security analysis should be adapted to avoid any loopholes introduced by detector efficiency mismatch 20 . We add a pre-attenuation factor η att 13 which can be inserted between the source and the Eve-controlled channel to reduce multiphoton leakage in the high loss regime. The channel transmittance is given by η ch = 10 −l/10 where l is the channel loss in dB. A correction factor c DT is added to account for the dead time of the detectors. For a dead time τ and repetition rate R this correction is of the form The error probability is then given by p X ,Z e = c dt p 0 p X,Z dc + where p mis is the probability of error due to the misalignment of the set-up.
(b) (a) finite key rates using smaller block sizes. b shows the maximum tolerable loss achievable as a function of the acquisition time. This work substantially improves the distance over which a key can be generated compared to ref. 15, particularly for short acquisition times.
For modelling purposes, we will assume that the multiphoton contribution is dominated by the 2-photon component, hence consider a source distribution of the form {p n } = {p 0 , p 1 , p 2 } with emission probabilities of vacuum p 0 , single photons p 1 and two photon states p 2 . Given mean values for photon number 〈n〉 and g 2 ð Þ ð0Þ, Note that the security of the key rate analysis is not compromised by such an assumed form of the photon number distribution as the distribution that only has non-zero {p 0 , p 1 , p 2 } saturates the bound of 13 , and any other distribution consistent with 〈n〉 and g 2 ð Þ ð0Þ will have a lower p m .

Finite key length based on Chernoff bounds
In this section, we follow the method and notation as described in ref. 10 though suitably adapted for the non-decoy single-photon source case which is akin to weak coherent pulse (WCP) protocols before the advent of decoy-state methods 24 .
After basis sifting, the number of events where both Alice and Bob chose the Z and X bases are N X R = N S p 2 X p X click and N Z R = N S p 2 Z p Z click , respectively, these are directly observed. Here, we adopt the convention that the Z basis is used for parameter estimation and the X basis is used to generate the key. The legitimate parties publically compare all the Z basis results to determine thenumber of Z errors m Z = N S p 2 Z p Z e which is then used to estimate the phase error rate ϕ X in the X basis. The X basis results are never directly revealed.
The expected number of received signals that result from nonmultiphoton emissions by Alice (lumping together the vacuum and single photon yields) is given by N X ,Z R,nmp = N X ,Z R À N X ,Z * S,mp where N X ,Z * S,mp = N S p 2 X p m is the expected number (we use * to denote the mean) of sifted multiphoton emissions from Alice in the X, Z basis respectively. We assume that p m can be determined in a pre-calibration phase with negligible uncertainty (similar to the pulse intensities in WCP protocols), else a suitable upper bound can be chosen for p m itself. Here, we assume that all multiphoton pulses are detected by Bob (Eve introducing a lossless channel in this case) and that the remaining detected pulses come from the non-multiphoton fraction (if N X ,Z R >N X ,Z S,mp ). As we do not directly observe the actual number of multiphoton emissions, the actual number N X ,Z S,mp can deviate from N X ,Z * S,mp due to statistical fluctuations, and we need to upper bound the tail probability with error ε PE . The upper Chernoff bound (denoted by the overbar) for a sum of binary variables x = ∑x j with x j ∈ {0, 1} is given by where δ U = β + ffiffiffiffiffiffiffiffiffiffiffiffiffiffi 8βx * + β 2 p 2x * , and β = À log e ðε PE Þ. This can be applied to derive an upper bound to the actual number of multiphoton emissions N X ,Z S,mp , hence lower bound the number of received signals from nonmultiphoton emission events, N X ,Z R,nm in each basis, We note that tighter upper bounds on N X ,Z S,mp could in principle be used, such as those based on the "factorial moment" 25 or the Klar bounds 26 . Practically, the scope for potential improvement is minimal in our case and only possible for the highest tolerable losses of each finite block. These alternate bounds are also less amenable for numerical evaluation for the parameter ranges typical in QKD.
The phase error rate ϕ X now needs to be upper bounded based on the observed number of errors in the Z basis m Z . We conservatively assume that all Z basis errors occur on the received nonmultiphoton fraction, hence we have an estimate of the phase error rate, However, this estimate is the result of N Z R samples in the Z basis but we need to upper bound the phase error rate in the unannounced N X R samples in the X (key generating) basis. For this random sampling without replacement problem and a tail bound error ε, the upper bound of the unobserved value χ can be estimated from the observed value λ by where γ U n,k,λ,ε 0 ð Þ= 1 A = maxfn,kg, ð14Þ under the assumption that 0 < λ < χ < 0.5 which is true for typical QKD scenarios. This now allows us to calculate an upper bound, The secrecy of the protocol is ε sec ≥ ε PA + ε PE + ε EC where: ε PA = ε 0 is the privacy amplification failure probability; ε PE = 2n PE ε 0 is the parameter estimation failure probability where n PE = 2 is the number of constraints as quantified in post-processing; ε EC = ε 0 is the error correction failure probability. Thus, the secrecy comes from setting each failure probability to a common value ε 0 , i.e. ε sec = 6ε 0 . Moreover, the QKD protocol is ε qkd -secure if it is ε cor -correct and ε sec -secret with ε qkd ≥ ε cor + ε sec . We set ε cor = 10 −15 and ε sec = 10 −10 .
This leads to the length of the secure key fraction, where λ EC is the known leakage of information during error correction.
The key rate is then defined as r = ' N S .

Security bounds and secure key rate
The security analysis follows that of 20 using min-entropy and the failure probabilities that appear in Table 2 therein. We use uncertainty relations for bounding Bob's raw key obtained from Alice's raw key and conditioned on Eve's information. Let us first consider Eve's information E and Alice's raw key X A , that is generated by choosing a random sample from N X R;nmp , after the error correction and verification steps. The question is how much information Eve can extract from X A that is completely unknown to her. The probability of guessing X A given E is defined as the classical min-entropy, where p guess X A |E À Á represents the probability of correctly guessing X A applying an optimal extraction strategy having access to E. The optimal strategy means to guess the value x of X with the highest conditional probability p X|E=e (x) for each value e of E. For this process, let us assume that a part X B of X A with length ℓ, that is uniform conditioned on the information E, can be extracted by Bob. In other words, there is a function f s that maps X A to Bob's raw key X B = f s (X A ) considering the quantum state between Alice and Eve ρ X A E is fixed. It has been shown that the probability of guessing X B is p guess X B |E À Á = 2 À' and using Eq. (18) we obtain, where ℓ is the secure key length. Furthermore, because X B comes from mapping X A , the probability of correctly guessing X B has to be greater than the probability of guessing X A . Therefore, these min-entropies can be expressed as the following inequality To extend this to the general case of almost uniform randomness, the smooth min-entropy H ε min X A |E À Á needs to be introduced. This is set as the maximum value of H min X A |E À Á . For privacy amplification, we consider that Alice and Bob apply a two-universal hash function. The Leftover Hashing Lemma 27 gives us an exact equation for the inequality of Eq. (20) using the smooth min-entropy to relate the already mentioned Eve's information E and Alice's raw key X A for the maximum number of extractable bits l that are ε PA -close to uniform, conditioned on E.
We consider leakage λ EC during error correction as well as additional bits for verification. Thus, the information that remains in Eve's system E 0 after error correction is related by, The leakage in one-way protocols is lower bounded as 19 , where H(x) is the binary Shannon entropy, and F À1 ε cor ; n X , 1 À e X À Á is the inverse of the cumulative distribution of the binomial distribution. Achievable rates by practical codes may not achieve this bound for large blocks so we choose the greater estimate of leakage given either by the above or f EC = 1.16 16 .
We use an uncertainty relation for smooth min-entropy to establish a bound between the remaining information that Eve has, E 0 , and Alice's raw key, X A . This reflects that the better Bob can estimate Alice's raw key in the Z basis, the worse Eve can guess Alice's raw key in the X basis, formally expressed as, limited to the non-multiphoton events in the key generation basis X.
Here, q quantifies the efficiency of Bob's orthogonal qubit measurements, in this work we assume q = 1, although in practice the sent states by Alice are not perfect qubits. H ε max Z A |Z B À Á is the smooth maxentropy of Z B conditioned on Z A . If Z B and Z A are highly correlated, we can deduce that H ε max Z A |Z B À Á is small and thus, as the following bound shows 28 , the observed number of errors is small, where ϕ X is the X-basis phase error rate of non-multiphoton events. Finally, the bound for the min-entropy is, Protocol optimisation To maximise the rate and tolerable loss whilst maintaining security, we consider optimisations of the basis bias and signal pre-attenuation that can provide some improvement over standard protocol values, i.e. equal basis choice and no-attenuation. The Efficient BB84 protocol simplifies standard BB84 by utilising one basis for key generation and the other basis for parameter estimation of the phase error rate, without compromising security 29 . In this paper, we adopt the convention that the X basis is used for the key with the Z basis used for phase error rate estimation. Alice and Bob randomly and independently choose their basis for each signal with bias p X and p Z = (1 − p X ). The sifting ratio is 1 À 2p X ð1 À p X Þ > 1 2 for unequal bias, higher than the sifting ratio 1 2 for p X = 1 2 as in standard BB84. Additionally, this simplification also reduces the number of parameters to be estimated, hence improving finite-statistical bounds and the reduction in key length due to composable security parameters 20,[30][31][32][33] . The value of p X can be optimised to balance the amount of raw key bits (proportional to p 2 X ) and parameter estimation signals (proportional to ð1 À p X Þ 2 ). In the asymptotic limit, p X → 1, hence the sifting ratio also approaches unity.
At long distances and high losses, the key rate is limited by the multi-photon emission probability. When the upper bound on the number of multiphoton emission events exceeds the number of detections, then Eve must be assumed to have full information about Alice and Bob's string, hence there can be no secure key. Waks et al. 13 proposed the addition of linear attenuation (characterised by transmission factor η att ) of the signals prior to injection into the quantum channel controlled by Eve. The bound on the multiphoton components is reduced by a factor of η 2 att while the average photon number is only reduced by η att . At high losses and with low dark count rates, the reduction in detection probability (and increase in QBER) may be offset by the greater fraction of Bob's received events being the result of non-multiphoton emissions by Alice, potentially leading to increased key rate and extending the non-zero key rate region to longer ranges.

Data availability
The datasets generated during and/or analysed during the current study are available from the corresponding author upon request.